AWS takes data privacy very seriously, and maintaining customer trust is an ongoing commitment. Customers always manage access to their services and content. We do not access or use customer content for any purpose without the customer’s consent. Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.

Understanding how to build healthcare applications on AWS means understanding the shared responsibility model. In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security - such as physical security of the underlying infrastructure - are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications - which is no different than if your application was running in a traditional data center.

You can use AWS to run sensitive workloads regulated under the U.S. Health Insurance Portability and Accountability Act (HIPAA). If you plan to include Protected Health Information (as defined by HIPAA) on AWS services, you must first accept the AWS Business Associate Addendum (AWS BAA). You can review, accept, and check the status of your AWS BAA through a self-service portal available in AWS Artifact.

Any AWS service can be used with a healthcare application, but only services covered by the AWS BAA can be used to store, process, and transmit Protected Health Information under HIPAA. Click here for some common strategies for architecting for HIPAA compliance on AWS.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that delivers a standard approach to the security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP is mandatory for all US federal agencies and all cloud services, including the U.S. Department of Health and Human Services.

Two separate FedRAMP Agency authorizations have been issued; one encompassing the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions.

AWS offers a wide range of certifications and attestations, covering compliance programs from around the globe. You can leverage these certifications and attestations to meet your additional compliance programs, such as the HITRUST Common Security Framework or programs offered by the Electronic Healthcare Network Accreditation Commission (EHNAC). You can also work with one of our partners that specialize in healthcare compliance.